Security is a part of our work as developers. We need to secure our applications against malicious attacks. SQL Injection is one of the most common possible attacks. Basically, SQL Injection is a kind of attack that happens when someone injects SQL statements into our application. You can find a lot of info about SQL Injection attacks. Basically you need to follow the security golden rule: "Filter input, Escape output".

He advocates the use of the PDO abstraction layer to filter out a lot of the issues. Using its prepared statements, you can easily strip out things that just adding slashes to user input wouldn't prevent. He also includes a reminder about database permissions - allowing only certain users the ability to, for example, delete can help provide one more level of security (in other words, don't use a "super user" in production).

Published: Wed, 08 Feb 2012 08:07:05 -0600 | http://www.phpdeveloper.org/news/17207
On the NetTuts.com site today they have a (very complete) guide to help you wrangle the Facebook Graph API and make it useful for your application. It makes use of the official Facebook PHP SDK to interface with the Graph API.

Have you ever wanted to learn how to make your applications more social with Facebook? It's much easier than you think! In this tutorial, we'll be building an application that reads and publishes data to and from Facebook using Facebook's Graph API.

The tutorial helps you get signed up on the Facebook developer site, create a first sample application, set up the SDK and make a simple page (with the added bonus of using Twitter Bootstrap for the look and feel). There's a section covering permissions and what kind of data you can expect to see publicly for both users and posts. They wrap it up with an example of posting back to Facebook through the API and updating the status on your account. The complete code for the tutorial is also available for download.

Published: Fri, 02 Dec 2011 13:37:09 -0600 | http://www.phpdeveloper.org/news/17165
In the fourth part of their series looking at working with the filesystem in PHP, DevShed has posted a new tutorial focusing on security and permission handling for files/resources.

These days, security is paramount to any server installation, large or small. Most modern operating systems have embraced the concept of the separation of file rights via a user/group ownership paradigm, which, when properly configured, offers a wonderfully convenient and powerful means for securing data. In this section, you'll learn how to use PHP's built-in functionality to review and manage these permissions.

Published: Wed, 23 Nov 2011 16:23:27 -0600 | http://www.phpdeveloper.org/news/14881
On NETTUTS.com today there's a new detailed tutorial on how to use the access control list functionality that comes with the CakePHP framework.

If you're building a CMS, you'll probably need different user roles - superusers, admins, users - with different permission levels. Too complicated to code? Enter CakePHP's ACL (Access Control Lists). With the right setup, you'll be checking user permissions with just one line.

They talk about what "access control lists" are and show you an example of one, including the database tables and the full scripts for the Users controller, a model to hook into the database and the view for output to the user. They include methods for denying access, checking permissions, and modifying a user's permissions.

Published: Fri, 30 Jul 2010 15:13:20 -0500 | http://www.phpdeveloper.org/news/14287
In the next part of his Zend_Navigation series Brandon Savage takes a look at integrating it with Zend_Acl to add permissions/roles into the mix, showing certain things for certain users.

What happens when you have special areas of your site, say for subscribers or administrators? Controlling access is something that all web developers must do at some point. This is where integration between Zend_Navigation and Zend_Acl comes in.

He shows how to set up the access control levels for an "Admin" section in an example navigation array. It uses the "resource" and "privilege" attributes to define the group and role that have access to that navigation item. Then, with a "setAcl" call, you can pull that information in, and two lines of code are enough to output it.

Published: Fri, 02 Apr 2010 08:59:55 -0500 | http://www.phpdeveloper.org/news/12345
Justin had written up a previous article with a few quick ways to secure your WordPress blog and he's come back with a few more helpful hints on how to keep you and your blog safe.

The following is a list of some additional changes that you can make to improve the security of your WordPress installation (back up wp-config.php and your db tables before trying the following).

Change permissions on the WordPress to only be writable by you and root

Published: Wed, 15 Apr 2009 11:19:47 -0500 | http://www.phpdeveloper.org/news/9305
On her blog Nessa has a brief look at working with permissions with PHP via three functions - chown, chgrp and chmod.

PHP uses the same command as *nix systems when dealing with changing permissions for files. These commands are particularly useful in situations where PHP runs as a different user on the system, which is common when PHP is compiled as an Apache user.

She includes the basic syntax for each of them and shows how one (chmod) could be used in an example of file creation.

Published: Mon, 24 Dec 2007 09:22:00 -0600 | http://www.phpdeveloper.org/news/9022
Rob Thompson passed along some information that PHP users running on Solaris might want to check out - the slightly buggy behavior of the PHP getcwd function on that platform.

Many functions within the PHP codebase relied upon a universally working getcwd() [C] call to expand paths and to find out where a script is being executed. In particular, Solaris does not assume that getcwd() is a privilege that should be granted to users in directories that don't have 'r' (read) permission, even if it has 'x' (execute) permissions. [...] Under Linux, getcwd() behaves normally but under Solaris, getcwd() does not work with the --x restrictive permissions.

He does note, happily, that this issue is cleared up by upgrading to PHP 5.2.5, which you should do as soon as possible. He includes code snippets in the post so you can test your installation for the problem too.

Published: Mon, 12 Nov 2007 13:47:00 -0600 | http://www.phpdeveloper.org/news/6255
Sometimes, a technology sounds like a great, simple answer to all of your problems. That, however, was not the experience of this blogger when checking out SQLite on Windows.

My first task at my new job was a simple enough one. All our customers have a review site that has a list of contacts. The file was contacts.html and it was just a static html file.

Since there are already 100s of sites using the static html, I wanted to avoid any kind of complex migration or external database. I decided to give SQLite a try since the db files are so portable. Each site would have its own database with a single contacts table. Simple, right? Let me go over all the problems I ran into.

He starts off with the fact that SQLite 3 doesn't work with PHP (different client drivers in PHP) and that PHP doesn't like SQLite 2 all that much either. His third and final experience? That SQLite isn't the brightest when it comes to working with directory permissions.

Published: Tue, 12 Sep 2006 16:16:02 -0500 | http://www.phpdeveloper.org/news/6116
DevShed has a new tutorial posted today with a look at one of the more common tasks performed with PHP (second to generating web pages, of course) - working with files. It can be a little tricky for a budding PHP programmer, but they've got the info you need to get started.

Reading and writing to files can be useful if you do not require the storing of important data, such as a web counter. I must warn you though, that this method of storage should not be used to store passwords and other critical information, as it is not safe. Here we will discuss how to handle files and directories in PHP, specifically, how to create, read and write them.

They start off with a look at file permissions on both Unix and Windows systems to give you an idea of what problems they could cause. Then it's on to the actual files themselves - for this part, though, they only look at reading them in and working with their contents.